API Security

At Moneyhub, security is built into the foundation of our platform. We employ a defense-in-depth strategy to protect our APIs, aligning our controls with industry standards to safeguard the integrity and confidentiality of the data we hold.

Core Security Measures

Continuous Assurance: Our platform is subject to annual penetration tests conducted by independent, CREST-certified security firms. These testers are explicitly mandated to target a variety of threats and vulnerabilities, including those listed in the current OWASP Top 10.

Perimeter Defense (WAF): All public-facing services are shielded by a Web Application Firewall (WAF). We configure strict rulesets to detect and reject requests containing malicious payloads, actively blocking common vulnerability classes such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and Server-Side Request Forgery (SSRF).

Strict Authentication: We apply Financial-grade API (FAPI) standards to all interactions. Individual endpoints enforce standardized authentication and authorization checks to strictly verify the origin of every request.

Data Access Control: We implement rigorous protections against Broken Object Level Authorization (BOLA/IDOR) at the data-access layer. Every query is logically scoped to specific clients and consenting users, ensuring data cannot be accessed without explicit permission.
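The following is an added illustration of the data-access-layer scoping described above; it is example code written for this page, not Moneyhub's implementation. It assumes a simple SQLite schema with an accounts table and a consents table (both constructed here), and contrasts an identifier-only lookup, which is the BOLA/IDOR pattern, with a lookup whose query predicate includes the authenticated client and the consenting user. A missing object and an unauthorised object both surface as the same NotFound result, so the response cannot be used to confirm that a record exists.

```python
import sqlite3


class NotFound(Exception):
    """Raised for both a missing and a non-authorised object, so a caller
    cannot distinguish the two cases from the error."""


def build_db():
    """Constructed sample data: two accounts owned by different users, and the
    (client, user) pairs for which the user has granted consent (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (
            id      TEXT PRIMARY KEY,
            user_id TEXT NOT NULL,
            balance INTEGER NOT NULL
        );
        CREATE TABLE consents (
            client_id TEXT NOT NULL,
            user_id   TEXT NOT NULL,
            PRIMARY KEY (client_id, user_id)
        );
        INSERT INTO accounts VALUES ('acc-1', 'user-a', 100), ('acc-2', 'user-b', 250);
        INSERT INTO consents VALUES ('client-x', 'user-a'), ('client-y', 'user-b');
    """)
    return conn


def _to_dict(row):
    return dict(zip(("id", "user_id", "balance"), row))


def get_account_unscoped(conn, account_id):
    """BOLA/IDOR-prone lookup: the identifier supplied by the caller is the only
    predicate, so whoever is authenticated can read any account they can name."""
    row = conn.execute(
        "SELECT id, user_id, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()
    if row is None:
        raise NotFound(account_id)
    return _to_dict(row)


def get_account_scoped(conn, client_id, user_id, account_id):
    """Hardened lookup: the query itself is scoped to the authenticated principal.
    client_id and user_id must come from the verified token/session, never from
    the request body or path. The JOIN on consents additionally requires that
    this user has authorised this client, so a valid user token presented by the
    wrong client still yields nothing."""
    row = conn.execute(
        """
        SELECT a.id, a.user_id, a.balance
        FROM accounts a
        JOIN consents c ON c.user_id = a.user_id
        WHERE a.id = ? AND a.user_id = ? AND c.client_id = ?
        """,
        (account_id, user_id, client_id),
    ).fetchone()
    if row is None:
        # Same outcome for "does not exist" and "not yours": no enumeration oracle.
        raise NotFound(account_id)
    return _to_dict(row)


def can_read(conn, client_id, user_id, account_id):
    """Convenience wrapper returning True/False for the scoped lookup."""
    try:
        get_account_scoped(conn, client_id, user_id, account_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    db = build_db()
    # The unscoped lookup ignores who is asking.
    print(get_account_unscoped(db, "acc-2"))
    # The scoped lookup only returns what the (client, user) pair is allowed to see.
    print(can_read(db, "client-x", "user-a", "acc-1"))  # own account, consented client
    print(can_read(db, "client-x", "user-a", "acc-2"))  # another user's account
    print(can_read(db, "client-y", "user-a", "acc-1"))  # own account, but no consent for this client
```

The design point is that authorization is expressed in the query predicate rather than checked after the fact on a fetched row: a row the principal is not entitled to is never materialised, so a later code path cannot accidentally leak it, and the logic cannot be bypassed by a new endpoint that forgets to call a separate check.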

Verification & Resources

While we do not publicly publish specific WAF configurations for security reasons, our compliance with these standards is formally attested in our audit reports.

  • Moneyhub Trust Center: Request access to our Penetration Test Executive Summaries, ISO 27001 certifications, and internal policies and procedures.
  • Developer Documentation: Review the technical specifications of our OpenID Connect (OIDC) and authentication flows.